Are Cyber-Security Skills Due to Nature or Nurture?

Culture and language determine much of how we live, think and act. So does history. These factors could explain why the Netherlands has gained a reputation as a leading exporter of IT Cyber-Security.

This country has already defended and strengthened itself over the centuries against the sea, staking out territories for habitation and farming that would otherwise be under water. The idea of the dyke, the fortification to keep the enemy out, is now being applied in the war against cyber-crime.

To a certain degree, Dutch skills in cyber-security are natural, in that the nation already has a past steeped in similar threats and skills. However, that does not mean that other, landlocked nations have to be at a disadvantage.

Although dykes, windmills, tulips and bicycles make a romantic picture of the Netherlands, the realities of Dutch cyber-defence are different. There are three key aspects that help the country stay virtually strong.

The first is the collaboration between public and private entities to develop manifestos and communities to enhance data privacy and Internet of Things security, among others. The second is the responsibility placed on Dutch enterprises to report data breaches and attacks that could affect others (a legal requirement from January 2016).

The third is the realisation that security must be built into software and systems from the start, not just bolted on when the rest of the development work is done.

In a sense, from the physical dyke, the Netherlands is now moving to the virtual dyke and the micro-dyke. At the same time, the nurturing approach is strong too, educating and obliging organisations to contribute to a collective cyber-defence.

This approach is available for any community or nation that wishes to adopt it, as is the principle of designing in and testing security from the earliest stages of system development. Whether the sea and the dykes are a real factor in the current pre-eminence of the Netherlands in cyber-security, or just a historical accident, is another matter.

But for any other entity, if cyber-defence skills are not a natural strength, they will still have to be nurtured, if that entity is to avoid the risk of being submerged by cyber-attacks.